foundation:reverseproxy
Differences
This shows you the differences between two versions of the page.
| foundation:reverseproxy [2025/12/19 23:06] – created - external edit 127.0.0.1 | foundation:reverseproxy [2025/12/20 15:25] (current) – privacyl0st | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Reverse Proxy VM (NGINX) ====== | ||
| + | This virtual machine is the **gateway** of the Trash Panda ecosystem. It manages external access to internal services, handles SSL termination, | ||
| + | |||
| + | This page covers **only the VM setup and deployment**. NGINX configuration, | ||
| + | |||
| + | ===== Role of This VM in the Ecosystem ===== | ||
| + | The Reverse Proxy VM: | ||
| + | * Routes inbound traffic to internal services | ||
| + | * Terminates SSL/TLS via CERTBOT | ||
| + | * Acts as the single point of entry for web-facing services | ||
| + | * Lives in the DMZ to isolate external access | ||
| + | |||
| + | By isolating this service into a dedicated VM, we: | ||
| + | * Reduce attack surface for exposed services | ||
| + | * Simplify troubleshooting and maintenance | ||
| + | * Ensure predictable performance for all proxy and certificate operations | ||
| + | |||
| + | This VM should operate quietly and **securely mediate traffic** between the internet and internal services. | ||
| + | |||
| + | ===== Base Operating System ===== | ||
| + | * **Ubuntu Server 24.04 LTS** | ||
| + | * Minimal installation (no desktop environment) | ||
| + | * Automatic security updates enabled | ||
| + | |||
| + | Ubuntu LTS provides: | ||
| + | * Long-term security support | ||
| + | * Strong community documentation | ||
| + | * Stability for long-running, | ||
| + | |||
| + | This VM should run **headless** and be administered via SSH. | ||
| + | |||
| + | ===== Virtual Hardware Allocation ===== | ||
| + | |||
| + | ==== Memory (RAM) ==== | ||
| + | * **2 GB RAM (fixed allocation)** | ||
| + | |||
| + | Why 2 GB? | ||
| + | * NGINX and CERTBOT are lightweight applications | ||
| + | * Memory headroom ensures stable operation under traffic bursts | ||
| + | |||
| + | Avoid memory overcommit to maintain responsiveness for web requests. | ||
| + | |||
| + | ==== CPU Allocation ==== | ||
| + | * **2 vCPUs** | ||
| + | |||
| + | Traffic handling is: | ||
| + | * Burst-oriented rather than sustained | ||
| + | * Light on raw compute | ||
| + | * Sensitive to latency | ||
| + | |||
| + | Two vCPUs provide sufficient parallelism for proxy and certificate tasks. | ||
| + | |||
| + | ==== Storage Allocation ==== | ||
| + | * **30 GB virtual disk** | ||
| + | * Thin provisioned (recommended) | ||
| + | |||
| + | This storage is used for: | ||
| + | * OS and system packages | ||
| + | * NGINX installation and configuration | ||
| + | * SSL certificates, | ||
| + | |||
| + | **No media or user data is stored here.** This VM’s sole purpose is proxying and certificate management. | ||
| + | |||
| + | ===== Network Configuration ===== | ||
| + | This VM requires **one network interface**, | ||
| + | |||
| + | ==== NIC 1 — DMZ VLAN ==== | ||
| + | Purpose: | ||
| + | * Serve as the entry point for inbound web traffic | ||
| + | * Outbound access for CERTBOT and updates | ||
| + | * Communicate with internal services behind the proxy | ||
| + | |||
| + | Characteristics: | ||
| + | * Standard MTU (1500) | ||
| + | * Routed through firewall | ||
| + | * Static IP recommended | ||
| + | |||
| + | Placing the VM in the DMZ ensures: | ||
| + | * Isolation from internal LAN services | ||
| + | * Minimal attack surface | ||
| + | * Controlled, secure access to exposed services | ||
| + | |||
| + | ===== VMware Workstation Pro Configuration Notes ===== | ||
| + | Assuming VMware Workstation Pro 17: | ||
| + | * Attach a single virtual network adapter | ||
| + | * Bind to the physical NIC connected to the DMZ VLAN | ||
| + | * Disable unnecessary virtual hardware (sound, USB, etc.) | ||
| + | * Use VMXNET3 adapters for best performance | ||
| + | |||
| + | Do **not** connect this VM to the Primary LAN VLAN. | ||
| + | |||
| + | ===== Design Philosophy Recap ===== | ||
| + | This VM is designed to be: | ||
| + | * Quiet | ||
| + | * Predictable | ||
| + | * Disposable if needed | ||
| + | * Easy to rebuild | ||
| + | |||
| + | If it ever fails, you should be able to: | ||
| + | 1. Recreate the VM\\ | ||
| + | 2. Restore NGINX configuration and SSL certificates\\ | ||
| + | 3. Resume secure proxy operations | ||
| + | |||
| + | No irreplaceable data should live on the VM itself. | ||
| + | |||
| + | ===== What Comes Next ===== | ||
| + | Once the VM is deployed and reachable: | ||
| + | * Install and configure NGINX (native to OS) | ||
| + | * Configure CERTBOT and SSL certificate automation | ||
| + | * Integrate with internal services and firewall rules | ||
| + | * Configure backups and monitoring | ||
| + | |||
| + | Each of these topics is covered in their respective guides.\\ | ||
| + | |||
| + | A well-configured Reverse Proxy VM **keeps services accessible and secure** without fuss. | ||
foundation/reverseproxy.txt · Last modified: by privacyl0st